VMware Networking Community
lucasjb
Enthusiast

NSX 6.2 to 6.4 upgrade doesn't preserve Grouping Objects or Security Tags?

Hi Community,

I've recently upgraded my vSphere infrastructure: VCSA 6.0 to 6.5, ESXi 6.0 to 6.5 and finally NSX 6.2 to 6.3 to 6.4 (attempting to go directly from 6.2 to 6.4 simply didn't work). My only use for NSX has been the distributed firewall. I made sure to export the Firewall config before the upgrade as well as the Service Composer config. My problem is that post-upgrade, NSX has not preserved Grouping Objects and Security Tags, and I was making extensive use of these (defining my own Security Groups, IP Sets and Services as well as using Security Tags on VMs to determine their firewall security profile). When I try to import my Service Composer config into 6.4, it complains about missing Services that I had defined in the previous installation.

I've reinstalled NSX Manager 6.2 and restored a backup of its config. If I reconnect it to vCenter, the Grouping Objects and Security Tags are still present, but there doesn't seem to be any way to export these other than saving some things to CSV files (having said that, I can't really understand why they aren't preserved through the upgrade process).

I wonder if this is an expected outcome of the upgrade process or if I've done something wrong or missed a step? If so I can revert to 6.2 and upgrade again. Otherwise, is there some way I can export my Grouping Objects and Security Tags from the previous installation and import them to the new one? I can't see an obvious way to do this—REST API perhaps?

Hoping someone has some advice or I'm starting from scratch with my distributed firewall config.

Thanks,

--

Lucas

4 Replies
cnrz
Expert

For some 6.2.x (> 6.2.4 and above) versions, direct upgrade from 6.2 to 6.4 is supported, as in the VMware Product Interoperability Matrix. So if the current version is 6.2.4 and above, a one-step upgrade is possible. Which version of 6.2 is used?

Also, vCenter 6.0 U2 supports NSX versions from 6.2 up to 6.4, so it would be better to first upgrade the NSX version to 6.4 and, after checking the dFW configurations, upgrade the VCSA from 6.0 to 6.5 as a second step.

Is the procedure for exporting and importing the dFW configurations the one in the link below?

http://vcrooky.com/2017/07/saveexportimportload-distributed-firewall-configurations/


https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/rn/releasenotes_nsx_vsphere_640.html

https://www.vmware.com/resources/compatibility/sim/interop_matrix.php#upgrade&solution=93


lucasjb
Enthusiast

Hi canero,

Thanks for your reply. My NSX upgrade was 6.2.2 => 6.3.5 => 6.4.0. I didn't carefully read the information about supported upgrades and I can see I've taken a path that's unsupported. I'll revert to 6.2.2 and try 6.2.2 => 6.2.9 => 6.4.0 and hopefully my configuration can be retained in that case.

I did follow those steps for exporting the dFW configuration and it works fine; however, the configuration that I'm missing is Grouping Objects and Security Tags, and I really need those. I hope that using a different upgrade path will see them retained.

Thanks for your help.

--

Lucas

lucasjb
Enthusiast

Just to report back: 6.2.2 => 6.2.9 => 6.4.0 failed; the appmgt-webserver application didn't seem to deploy properly. Going from 6.2.2 => 6.2.9 => 6.3.5 seems to work properly, so I think I'm just going to stick on that version for now.

KarthikKumaran
Contributor

I can see you finally said 6.2.2 => 6.2.9 => 6.3.5 had no problems. While upgrading from 6.2.2 to 6.2.9, did you just have to upgrade the NSX Manager alone (leaving the other components on 6.2.2), and were you then able to upgrade everything directly to 6.3.5?

I am referring to this KB -> https://kb.vmware.com/s/article/51624

which says upgrading the NSX Manager to 6.2.9 alone is sufficient. So I just want to check how you handled this upgrade. Your response will be very helpful for my upgrade plan from 6.2.2->6.2.9->6.3.6->6.4.1.
